What Every Medical Device Manufacturer Needs To Know About HIPAA. By Leigh-Ann M. Patterson, Esq. Nixon Peabody LLP, Partner, HIPAA Task Force

Transcription

1 What Every Medical Device Manufacturer Needs To Know About HIPAA By Leigh-Ann M. Patterson, Esq. Nixon Peabody LLP, Partner, HIPAA Task Force April 6, 2003 The purpose of this HIPAA Law Alert is to explain what HIPAA is and how it is likely to impact the typical medical device manufacturer. I. Brief Overview Of HIPAA A. What is HIPAA? The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a complex and multifaceted piece of federal legislation aimed at curing many of the ills of the health care industry. The legal, and technical, answer to What is HIPAA? is that it is a federal statute which created new requirements regulating three different but interconnected areas of the law: (1) insurance portability for employees, (2) civil and criminal fraud enforcement, and (3) simplification of the health care claimpayment process by requiring health care providers to shift from paper-based systems to electronic-based systems with uniform codes and standards. In response to concerns about the privacy of health care information that will now be stored and transmitted electronically, HIPAA also includes a comprehensive set of rules (the Privacy Rule ) which protects sensitive health care information at virtually every stop in the health care system. The information that is protected by HIPAA is called Protected Healthcare Information or PHI, for short. The non-technical short answer to What is HIPAA? is that it is a federal statute that created the first ever comprehensive national privacy protections for medical records.

2 While the insurance portability and fraud enforcement provisions of HIPAA were implemented a number of years ago, the regulations for the Administrative Simplification portion of HIPAA (i.e., the Privacy Rule, the Security Rule and the Transactions and Code Set Rule) have only recently been promulgated. B. Who Must Comply? The applicability of HIPAA depends upon what you do, and not what kind of company or health care provider you are. Many mistakenly think that if their company touches PHI that they must be a Covered Entity. That is not the case. HIPAA only directly regulates Covered Entities. Thus, the starting point for any HIPAA applicability analysis is whether your company falls within one of the three definitions of Covered Entities. HIPAA defines Covered Entities as: Health care providers who engage in HIPAA electronic transactions (e.g., hospitals, physician groups, labs; also includes employers with on-site health care providers such as nurses or clinics, and some functions and programs of pharmaceutical and medical device companies wherein HIPAA electronic transactions are used) Non-health care employers Health plans covers most of corporate America; includes most nonhealth care employers with group health plans (this could include medical and hospital plans, dental plans, prescription drug plans, medical flexible spending accounts, and the like, especially self-insured plans) Health care clearinghouses -- entities that facilitate the processing of health information from standard to nonstandard formats or data, or vice versa. In general, Covered Entities will have the full range of HIPAA compliance obligations, including designating a privacy officer, creating HIPAA policies/procedures, giving privacy training, creating documentation, safeguarding information and entering into Business Associate Agreements. In addition to regulating Covered Entities, HIPAA also indirectly affects those who do business with Covered Entities. HIPAA refers to these entities as Business Associates of Covered Entities. The short, laymen s description of a Business Associate is any entity who performs a service on behalf of a Covered Entity and the service involve the use or disclosure of PHI. The technical definition of a Business Associate is a person who, on behalf of such covered entity, but excluding regular the workforce (employees), performs, or assists in the performance of a function or activity involving the use or disclosure of PHI including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing or the provision of services for legal, actuarial, accounting, consulting, data aggregation management, administrative, accreditation, or financial services to or for such covered entity where the provision of the service involves the disclosure of PHI from the covered entity, or from another business associate of the covered entity. Business Associates have fewer compliance obligations than Covered Entities. In short, Business Associates are required to enter into so-called Business Associate Agreements with Covered Entities. These Business Associate Agreements are contracts wherein the Business Associate makes certain representations

3 and assurances about how the Business Associate handles and protects all PHI it receives from the Covered Entity. C. How Does HIPAA Impact The Typical Medical Device Manufacturer? Covered Entities: In general, device manufacturers will typically not fall into the health care provider prong of the definition of a Covered Entity, unless the manufacturer participates in an indigent care program, patient registry program, direct-to-patient care program or some other type of activity wherein the manufacturer provides its device directly to patients and is reimbursed electronically (e.g. Medicare). In that case, the manufacturer will have full HIPAA compliance obligations, including designating a privacy officer, creating HIPAA policies/procedures, giving privacy training, creating documentation, safeguarding information and entering into Business Associate Agreements. Like most of corporate America, device manufacturers will, however, typically fall within the second prong of the definition which covers non-health care employers with group health plans, such as medical and hospital plans, dental plans, prescription drug plans, medical flexible spending accounts, and the like, especially self-insured plans. If this is the case, HIPAA compliance obligations include amending certain plan documents, establishing so-called Chinese walls between those HR employees who handle other employees PHI and those who do not, and other administrative requirements and safeguards. Most device manufacturers will not fall into the third category of Covered Entities, health care clearinghouses. Bear in mind that even if a manufacturer is not be a Covered Entity, if its device creates or handles PHI, then the device must support HIPAA compliance within Covered Entities; this is especially true with respect to devices which are computer-based, connect to an IT network or use wireless links. Remember, devices are not HIPAA compliant, organizations are HIPAA compliant. Business Associates: Most device manufacturers will have business dealings with Covered Entities wherein they will receive PHI from the Covered Entity and be considered a Business Associate. In that case, the manufacturer will be asked to enter into a Business Associate Agreement, wherein it makes certain representations and assurances about how it handles and protects all PHI it receives from the Covered Entities with whom it deals. The manufacturer must also implement policies and procedures to make certain that its employees comply with the Business Associate representations and assurances and adequately protect and safeguard PHI. D. Deadlines for Compliance The HIPAA Compliance deadlines apply to both Covered Entities and Business Associates and are as follows: HIPAA s Privacy Rule April 14, 2003 HIPAA s Security Rule April 21, 2005 HIPAA s Transaction and Code Set Rule October 16, 2002, unless a one-year extension was applied for by October 15, 2002

4 II. What is the Nixon Peabody HIPAA Task Force? In a nutshell: Created in 2001 and composed of members of our Privacy, Litigation, Labor and Employee Benefits, and Health Services Practice Groups Consists of an interdisciplinary team of health care, corporate compliance, litigation, and labor and benefits lawyers. Members of the HIPAA Task Force have been regionally and nationally recognized for their proficiency in these areas and regularly present at regional and national HIPAA conferences. A. Specific Services Provided: We assist clients with HIPAA and related engagements, including gap analysis, compliance, and general privacy assessment and remediation efforts. We help clients develop cost-sensitive implementation plans that meet their organizations needs and the government s timetable. Specific HIPAA services include: Executive briefings and seminars to acquaint top management with HIPAA requirements and compliance issues Counseling concerning the interpretation, application, and implementation of HIPAA within client organizations Policies: Development of privacy and security policies Programs: Privacy assessment, operational compliance, and remediation programs Compliance Documents: Development of HIPAA compliance documents, including policies and procedures, health plan amendments, business associate agreements, authorization forms, and HIPAA compliance checklists Business Associate Agreements: Reviewing existing business arrangements with third parties that permit access to PHI, including those with vendors, agents, and independent contractors, and drafting or reviewing Business Associate Agreements Litigation Avoidance: Litigation avoidance planning, including drafting appropriate policies for HIPAA s criminal and civil penalties and self-reporting obligations Litigation Strategies: Litigation strategies under HIPAA, state privacy laws, and state tort and contract law, including assisting clients to work out practical resolutions of privacy-related disputes B. Representative Experience: Our HIPAA Task Force attorneys have extensive experience shepherding our clients through the complex and ever-changing maze of state and federal health care regulations. Our in-depth understanding of the regulatory framework for HIPAA enables us to strategically structure transactions and modify operations to minimize the risk of regulatory challenges. Representative health care and non-health care clients: Universities Employers with self-funded health plans Large and small health care providers and health care systems

5 Medical groups Long-term care facilities Pharmaceutical, biotechnology, and medical device manufacturers Physician practices Ambulance companies Research entities C. Who You Can Call To Answer All Your HIPAA Questions Nixon Peabody HIPAA Task Force Contacts (by office) Albany, NY Peter Millock Leigh-Ann Patterson founder of Nixon Peabody HIPAA Task Force Boston, MA Garden City, NY Claudia Hinrichsen Orange County, CA Dale Hudson Providence, RI Stephen Zubiago Rochester, NY Richard Yarmel Washington DC Ray Gustini